REPORT ON THE FOLLOW-UP AUDIT OF PHYSICAL SECURITY OF THE LOCAL AREA NETWORK

Table of Contents

                                                             Page

EXECUTIVE DIGEST ............................................   1

AUDIT OBJECTIVE .............................................   3

AUDIT SCOPE .................................................   3

BACKGROUND ..................................................   3

FINDING No. 1 - Weaknesses Continue To Exist In The
                Physical And Environmental Security of
                Critical Network Hardware

     o   Details of Finding .................................. 5
     o   Recommendations/Management Response ................. 13

FINDING No. 2 - Inadequate Management of Laptop Computer
                Resources

     o   Details of Finding .................................. 15
     o   Recommendations/Management Response ................. 20

APPENDIX - Managing Director's Response to the Draft Audit
           Report

EXECUTIVE DIGEST

In March 1994, the Office of Inspector General (OIG) issued an audit report entitled "Report on the Audit of Physical Security of the Local Area Network." In that report, the OIG concluded that the Federal Communications Commission (FCC) had not established internal controls which adequately protect components of the FCC network from physical and environmental threats. Such physical and environmental threats to the network include deliberate intrusion, natural and/or man-made hazards, damage or theft of equipment, and unauthorized access to data.

The objective of this audit was to determine whether the Commission had implemented a corrective action program in response to our March 1994 audit report.
An additional objective was to evaluate the controls in place to ensure the protection of network microcomputer workstations and laptops from physical and environmental threats.

During the review we found significant improvements in the Commission's computer security program. For example, in our March 1994 report we reported that the Commission had not conducted a risk analysis or prepared a computer security plan for the network as required by the Computer Security Act of 1987. During this review we examined the Commission's risk assessment and security planning activities and determined that a network risk assessment had been completed and a comprehensive security 2-year plan had been developed based, in part, on that assessment. In addition, the Commission issued a final version of Directive FCCINST 1479.1 entitled "FCC Computer Security Directive." This Directive provides a comprehensive framework for managing computer security on the variety of hardware and software platforms used by the Commission.

Although we recognize significant progress in the Commission's computer security program, we found that further improvements in physical and environmental security controls are necessary to adequately protect the network from physical and environmental threats. In addition, our review identified weaknesses in the management of laptop computers.

The FCC has become increasingly dependent upon its automated systems. Interruption to services provided by the Local Area Network (LAN), which include access to databases, E-mail, and the Internet, would be extremely disruptive to the Commission. Loss of network and portable computing resources would have an immediate and profound effect on employee productivity and would impact the Commission's ability to conduct business.
Those affected would include the Chairman, Commissioners, and their respective staffs. For example, the E-mail system would be disabled and information on Commission databases could not be retrieved. Physical and environmental controls, i.e., locks, fire extinguishers, uninterruptible power supplies (UPS), etc., help ensure that these scenarios do not occur. These measures can be readily adopted at a reasonable cost and, in the case of fire extinguishers and UPS, are transportable within the current FCC space or to the Portals as is projected for mid-1997.

The Managing Director has concurred with each of our recommendations and has provided a timetable for implementing corrective action. Excerpts from the Managing Director's response to our draft report are incorporated under the appropriate audit recommendation. The entire response is contained in the Appendix to this report.

AUDIT OBJECTIVE

The first objective of this audit was to determine the status and effectiveness of corrective actions which were instituted as a result of recommendations contained in a March 1994 OIG audit report entitled "Report on the Audit of Physical Security of the Local Area Network." An additional objective was to examine the physical and environmental security of network microcomputer workstations and laptop computers.

AUDIT SCOPE

The audit was conducted in accordance with Generally Accepted Government Auditing Standards, and included such analysis, interviews and testing as required to support the audit findings.

The scope of this review was limited to the network and microcomputer workstations operating in FCC Headquarters office space.
The scope of our assessment of physical and environmental security of laptop computers was not geographically limited (i.e., laptop computers assigned to field components were included in the review).

Audit fieldwork was primarily performed within the Office of the Managing Director (OMD) from October 1995 through February 1996.

BACKGROUND

On December 24, 1985, the Office of Management and Budget (OMB) issued Circular No. A-130. This Circular provides a general policy framework for management of Federal information resources. The Circular implements provisions of the Paperwork Reduction Act of 1980 as well as other statutes, Executive Orders, and policies concerning general information policy, information technology, privacy, and maintenance of Federal records. In addition, the Circular places specific responsibility on the head of each agency to "(e)nsure that the information policies, principles, standards, guidelines, rules and regulations prescribed by OMB are implemented appropriately within the agency."

Appendix III to OMB Circular No. A-130, entitled "Security of Federal Automated Information Systems", establishes a minimum set of controls to be included in Federal automated information systems security programs.
The appendix specifically requires that agencies shall:

a. Assure that there are appropriate technical, personnel, administrative, environmental, and telecommunications safeguards in automated information systems;

b. Assure the continuity of operations of automated information systems that support critical agency functions;

c. Implement and maintain an automated information systems security program, including the preparation of policies, standards, and procedures;

d. Assure that an appropriate level of security is maintained at all information technology installations operated by or on behalf of the Federal Government.

On January 8, 1988, the President signed the Computer Security Act of 1987 into law. The purpose of the law was to recognize that "improving the security and privacy of sensitive information in Federal computer systems is in the public interest." The law "creates a means for establishing minimum acceptable security practices for such systems, without limiting the scope of security measures already planned or in use."

In March 1994, the OIG issued an audit report entitled "Report on the Audit of Physical Security of the Local Area Network." In that report, the OIG concluded that the Commission had not established internal controls which adequately protect components of the FCC network from physical and environmental threats. In addition, the OIG concluded that this condition resulted in an increased risk and magnitude of harm that could result from a wide variety of physical threats and environmental hazards to the network including deliberate intrusion, natural and/or man-made hazards, damaged or stolen equipment, and unauthorized access to data.

Finding No. 1 - Weaknesses Continue To Exist In The Physical And Environmental Security of Critical Network Hardware

In the "Report On The Audit Of Physical Security Of The Local Area Network," dated March 30, 1994, the OIG reported the results of our tests of physical and environmental security in computer hub rooms in the 1919 M Street headquarters facility. For purposes of this review, we have defined a computer hub room as an area containing core network hardware (e.g., file servers, routers, patch panels, etc.). The report concluded that the Commission had "not established adequate physical security controls to protect critical LAN hardware from physical threats." In addition, we concluded that "(t)he FCC has not protected some critical LAN components from environmental hazards." We recommended implementation of a series of controls to improve the physical and environmental security of network hardware. Management concurred with our recommendations and established a timetable to effect the action required to correct the identified deficiencies.

As part of this review, we examined the corrective action taken by the Commission to improve physical and environmental security in computer hub rooms containing network equipment. In addition to assessing management's activity resulting from our March 30, 1994, audit report, the scope of this follow-up review was expanded to include hub rooms in the following FCC headquarters office space:

     · 2000 M Street
     · 2025 M Street
     · 2033 M Street
     · 1250 23rd Street
     · 2000 L Street

During the review, we identified physical and environmental security weaknesses of the same kinds that had been identified and reported in our previous audit.
During audit testing, we identified the following conditions: (1) computer hub rooms, including the FCC data center, which were not physically secured during and after business hours; (2) hub rooms which did not employ cypher locks on all points of entry nor deploy additional security devices (e.g., door locks) when those devices were available; (3) hub rooms in which equipment was not properly protected from accidental disconnection; (4) lack of smoke detection and fire suppression in computer hub rooms; (5) hub rooms which showed signs of water damage; and (6) hub rooms which were excessively dirty.

Inadequate physical and environmental security controls threaten the viability of the network by increasing the risk of damage to equipment (whether willful or inadvertent), theft of equipment, and unauthorized access to data.

These conditions resulted from: (1) physical space restrictions during network installation requiring commingling of network equipment with common work areas and items; (2) lack of employee awareness of security requirements; (3) budget restrictions; and (4) inadequate planning for physical and environmental security during expansion.

Requirements For The Physical And Environmental Security Of Critical Network Resources Are Well Established By Government Regulation And Industry Standards

The requirement for physical and environmental security of computer equipment is addressed in Federal and Agency regulation. Office of Management and Budget (OMB) Circular No. A-130, entitled "Management of Federal Information Resources", establishes a minimum set of controls to be included in Federal automated information systems security programs.
The Circular states that agencies shall "assure that there are appropriate technical, personnel, administrative, environmental, and telecommunications safeguards in automated information systems" and that agencies "assure the continuity of operation of automated information systems that support critical agency functions." Furthermore, FCC Directive 1479.1, entitled "FCC Computer Security Program", addresses guidelines for the protection of FCC computer systems. The Directive establishes that "offices and work areas where FCC computer systems are located must be physically secured when unattended." The Directive recognizes that "(a)dequate controls should be employed consistent with the value, exposure and sensitivity of the information and equipment that is to be protected."

In December 1990, the Institute of Internal Auditors published the Systems Auditability and Control Report, hereafter referred to as the "SAC Report." The SAC Report is the result of a major research project conducted by top professionals in the information systems audit profession and provides comprehensive guidance on information technology and information systems auditing. Requirements for strong physical and environmental security are recognized in several modules of the SAC Report. In module four, entitled "Managing Computer Resources", the SAC Report recognizes that "(a) well-designed security program addresses physical security" and that physical security "should be designed to: Prevent unnecessary and unauthorized access to the computer room and equipment; and prevent unauthorized access to computer operations areas."
Module nine of the SAC Report, entitled "Security", states that "(w)ith the expanded reliance on Information System (IS) data and resources, security has become fundamental to the ongoing viability of most organizations" and that physical security "is the most basic and commonly addressed form of IS control."

With respect to environmental security, module nine of the report discusses the risks presented by environmental hazards including fire and water damage, as well as damage from "pollutants in the air or from chemicals used in or near the environment where the information systems are located." Chapter three of this module directly addresses the need for smoke detection and fire extinguishing equipment, reporting that "(f)ire and flood, along with the resultant damage caused by fire extinguishing procedures (smoke and water damage), are two of the most common causes of damage to IS equipment and records."

The Commission Has Not Provided Adequate Physical And Environmental Security For Computer Hub Rooms Containing Critical Network Components

The Commission has distributed critical network hardware to a series of rooms (hereafter referred to as "hub rooms") throughout the buildings being used by headquarters personnel. Hub rooms vary in complexity from those which contain only "patch panels" (connecting vertical and horizontal cabling) to those containing network file servers and database servers. The core components of the FCC network are located in the FCC Data Center (Room M10 of the 1919 M Street facility). Equipment in the Data Center provides network connectivity to other headquarters buildings, field offices, the Laurel laboratory, the Gettysburg facility, and the Auction site located on Massachusetts Avenue in Washington, DC.
In addition, the Commission's modem pool (providing dial-in/dial-out services) and many of the network database servers are located in the Data Center.

As part of our testing of physical and environmental security controls, we:

     - reviewed policies and procedures established to control access to hub rooms;

     - identified the locations of these hub rooms and conducted tests, both during and after business hours, to determine the status of physical and environmental security in these areas;

     - examined the security measures (e.g., cypher locks, key locks, Uninterruptible Power Supply (UPS), fire control, etc.) taken to protect computer hub rooms;

     - interviewed representatives from the Office of the Associate Managing Director - Operations to develop an understanding of controls over building access and egress;

     - surveyed personnel with hub room access to determine familiarity with security requirements; and

     - examined the results of self testing conducted by the FCC Computer Security Officer.

On November 21 and 22, 1995, we conducted an inspection of computer hub rooms in six FCC headquarters buildings. The inspection was conducted during business hours. During the inspection, accompanied by the FCC Computer Security Officer, we tested the physical and environmental security controls in place in twenty-six computer hub rooms. During that testing we identified the following weaknesses:

     · Eight of the hub rooms inspected were not physically secure during our testing. The severity of this finding is compounded by the fact that, during the inspection, we were challenged for identification on only one occasion by an FCC employee. In fact, in several cases we were directed to unsecured hub rooms by helpful FCC personnel.
       It should be noted that we did not display FCC identification, nor were we familiar, as a rule, to persons in the areas we visited. In fact, on the second day of our inspection we were dressed in casual attire.

     · Thirteen of the hub rooms inspected had one or more entry points that did not employ a cypher lock. In some cases, these entry points were equipped with a key lock that was in use at the time the testing was conducted. However, in other cases, these entry points were unsecured. In one hub room the cypher lock had been disabled to allow access to the room. In another case a sign on the door warned users "Do Not Lock Door."

     · Seventeen of the hub rooms inspected were being utilized as "shared" space and were not dedicated to supporting the network backbone. Many of the hub rooms contained unused furniture, file cabinets, printers, fax machines, book cases, and other non-network related materials. Use of hub rooms for purposes other than support of the network significantly increases the risk of willful or inadvertent damage to equipment, theft of equipment, and unauthorized access to data.

     · In three of the hub rooms inspected, we observed cabling which was not properly protected from accidental disconnection. Two of these hub rooms were being used as "shared" space.

     · None of the hub rooms inspected were equipped with smoke detection equipment.

     · Six of the hub rooms inspected contained evidence of water damage. In one location there was evidence of significant water damage. Some of the damage was on the ceiling above network equipment.

     · Fourteen of the hub rooms did not have a fire extinguisher within fifty feet.
       In fact, the only hub rooms that had this equipment nearby were those located near the elevators in the 1919 M Street building.

     · A file server in one of the hub rooms was not equipped with an operational Uninterruptible Power Supply (UPS). UPS equipment provides backup power in the event of a power failure. In addition, we observed cleaning solvents stored in this hub room. Fumes from these solvents may cause damage to sensitive network components. In addition to solvents, we observed that many of the hub rooms inspected were not properly maintained. Many of the rooms contained old newspapers, magazines, food containers, etc.

For security reasons, we have provided the Managing Director with a comprehensive listing of hub rooms tested and weaknesses identified by location under separate cover.

The FCC Data Center Was Not Physically Secured After Business Hours

The core of the FCC's information network is located on the mezzanine level of the 1919 M Street facility. Specifically, the data center contains numerous network file servers, database servers, telecommunications equipment, network hub equipment, and backup equipment. Traditionally, due to the sensitivity of the data maintained at such a site, the high value of the equipment, and environmental sensitivity, control over access is carefully administered. In fact, access via card key, cypher locks, and use of biometric devices are routine in many data centers.

On December 12, 1995, representatives from the OIG went to the data center to evaluate the physical security of the workstations. Expecting stringent access security, the auditors were surprised to discover no hindrance to entrance. After gaining entrance, the auditors toured the data center looking for on-duty personnel. No personnel were found in the area.
During a second visit later that evening, auditors observed and photographed numerous network file servers (including a file server "mirroring" the auction file server), telecommunications equipment, UNIX database servers (figure 1 on page 11), boxed UNIX equipment, numerous personal computers, and other computer equipment.

During our inspection of the data center, we noted that access from the data center to the loading dock in the rear of the 1919 M Street building existed via an elevator. At the time of our visit, we observed that the elevator latch was in place and that the elevator was secure (figure 2 on page 11). However, in a previous building security tour, conducted with representatives from the AMD-O security office, AMD-IM, and the contract security force, we observed that: (1) this elevator was not secured while not in use, and (2) the rear loading dock was unsecured. We were informed by a representative from the contract security force that these conditions are occasionally observed during routine security checks. In our opinion, the severity of the data center physical security weakness we identified is compounded by this weakness in building access control.

We contacted representatives from AMD-IM to determine the reason for this condition and to determine what steps would be taken to prevent a recurrence. We were informed that "a simple oversight in checking the front door was the cause of the center being left open." The AMD-IM response went on to note that "Data Center staff have been instructed to verify that all access points are secured before closing the Data Center."

On February 21, 1996, representatives from the OIG met with the FCC Computer Security Officer and were provided with an update on security enhancements in the data center.
In addition, we conducted an inspection of the data center and were briefed on planned controls.

figure 1: OIG Auditor standing in front of UNIX database servers located in the FCC Data Center

figure 2: Elevator providing access from the FCC Data Center to the rear loading dock

Physical And Environmental Security Weaknesses Threaten Network Viability

Risks associated with inadequate physical and environmental security controls include: unauthorized access to computer equipment; possible willful or inadvertent loss or destruction of equipment; and theft, unauthorized copying, modification, or destruction of data. The risk is compounded by the accessibility of FCC work areas to non-FCC personnel such as contractors, messengers, and cleaning personnel. In addition, a tested Continuity of Operations Plan (COOP), normally a significant mitigating control, has not been developed for the FCC network.
A recently published 2-year computer security plan indicates that COOP development efforts will begin in the 3rd quarter of FY96.

Several Conditions Have Prevented Implementation Of A Strong Physical And Environmental Security Control Program

The weaknesses identified have resulted from several conditions including: (1) space restrictions which have impacted unfavorably upon secure network installation; (2) lack of employee awareness of security requirements; (3) budget restrictions; and (4) inadequate planning for physical and environmental security during expansion.

In our initial review of network physical security (as reported in our audit report dated March 30, 1994), we questioned AMD-IM management about the use of "shared" space for network hub rooms. We were informed that many of the rooms being used are "controlled by the various Bureaus" and that "(t)hese rooms were the only rooms made available by the B/O, several years ago when OMD asked for space to put in their Departmental Computers." We were further informed that "(t)here was and still is no space on these floors to make as secure an area as desired." We stated in that report that "the importance of reducing the risk ... outweighs any inconveniences that might be imposed." We continue to hold this opinion.

During our inspection of hub rooms throughout FCC headquarters work space we were repeatedly directed to hub rooms by FCC personnel without being challenged for identification. In our opinion, this indicates a lack of awareness on the part of FCC personnel of their security responsibilities.
FCC Directive 1479.1, entitled "FCC Computer Security Program," establishes these responsibilities and states that "FCC users have a responsibility to create and maintain a secure work environment, and to protect the computer assets used to fulfill business activities."

Improvements Have Resulted Since OIG Report Issuance

The Commission's computer security program has seen significant improvement since our March 1994 audit. For example, the Commission has issued a network risk assessment and a comprehensive security 2-year plan. In addition, the Commission issued a final version of Directive FCCINST 1479.1 entitled "FCC Computer Security Directive." This Directive provides a comprehensive framework for managing computer security on the variety of hardware and software platforms used by the Commission. Unfortunately, several of the planned security activities that impact physical and environmental security are on hold because of funding problems. For example, Continuity of Operations Planning activities will be delayed until budget resolution. In addition, we were informed that "the need for fire extinguishers in some Hub Rooms requires funding which is currently unavailable."

The scope of our March 1994 audit report was limited to computer hub rooms in the 1919 M Street building. In that report, we made specific recommendations for the implementation of physical and environmental security controls for those hub rooms where weaknesses were identified. During testing conducted as part of this review, we noted that the controls recommended for 1919 M Street hub rooms had been implemented.
However, physical and environmental security does not appear to have been adequately addressed during the establishment of hub rooms in headquarters expansion facilities.

Planned FCC Move To Portals

The OIG recognizes that many of the concerns addressed in this report will be negated when the Commission moves to new office space in the "Portals" facility. However, in our opinion, the risks associated with the conditions we have identified in this review require that action be taken to protect network equipment prior to that move.

Recommendation for Corrective Action 1 of 4

We recommend that the Managing Director take immediate steps to ensure the physical security of areas in which critical network resources are located. These steps should include (1) resolution of the shared space issue by either physical isolation of equipment within the shared space or removal of non-network materials from the area; and (2) installation of cypher locks in all hub rooms containing network hardware. In addition, we recommend that the Managing Director take steps to periodically remind FCC personnel of their security responsibilities.

Management Response

The Managing Director has concurred with the recommendation and has recognized actions taken by AMD-IM to improve physical security in computer hub rooms. In addition, the Managing Director stated that "AMD-IM and the Associate Managing Director - Operations (AMD-O) staff are installing cipher locks in key network spaces not currently equipped with such devices" and that "(b)oth groups are also working to improve existing physical security in M10, the Data Center."

Recommendation for Corrective Action 2 of 4

We recommend that the Managing Director take immediate steps to ensure the environmental security of areas in which critical network resources are located.
These steps should include (1) installation of smoke detection equipment in computer hub rooms; (2) installation of fire extinguishers in computer hub rooms; (3) evaluation of alternatives for periodically cleaning hub rooms; (4) evaluation of alternatives to minimize water damage exposure (including removal of equipment if necessary); (5) review of hub room cabling to minimize accidental disconnections; (6) removal of cleaning solvents from hub rooms; and (7) periodic review of the status of UPS equipment.

Management Response

The Managing Director has concurred with the recommendation and has recognized actions taken by AMD-IM to improve the environmental security of critical network components. In addition, the Managing Director has stated that "(a)ll cleaning solvents have been removed from hub rooms" and that the "periodic review of UPS equipment and its stability has been scheduled for completion by May 1996."

Finding No. 2 - Inadequate Management Of Laptop Computer Resources

Prior to 1994, a limited number of laptops had been purchased by the Commission for special purposes. In the past two years, as part of the FCC's automation initiative, the Commission has purchased over two-hundred (200) additional laptop computers. As a result, the Commission currently maintains an inventory of laptops totalling over three-hundred units. This represents approximately one laptop for every six employees. With the acquisition cost of laptops ranging from $2,455 to $6,149 per unit, it is clear that this equipment represents a significant capital investment. Despite the size of this investment, the Commission has not established an adequate program for managing laptop computer resources.
During audit testing, we identified weaknesses which included: (1) inaccurate inventory records and (2) lack of periodic comprehensive physical inventories.

An inadequate laptop management process increases the risk of loss of scarce laptop computer resources and data. These conditions resulted from inadequate planning during program implementation.

Requirements For Managing Computing Resources Are Well Established By Industry Standards And Government Regulation

The requirement for management of portable computing resources is addressed in Federal and Agency regulation. Office of Management and Budget (OMB) Circular No. A-130, entitled "Management of Federal Information Resources", establishes a minimum set of controls to be included in Federal automated information systems security programs. The Circular recognizes that, because of "... the value of government information to the entire Nation, the management of Federal information resources is an issue of continuing importance to the public and to the government itself." The Circular goes on to state that agencies shall "(d)evelop internal agency information policies and procedures and oversee, evaluate, and otherwise periodically review agency information management activities" and that agencies "shall assure an adequate level of security for all agency automated information systems." The Circular also directs that "agency and contractor personnel involved in the management, operations, programming, maintenance, or use of information technology are aware of their security responsibilities and know how to fulfill them."

FCC Directive 1479.1, entitled "FCC Computer Security Program", addresses guidelines for the protection of portable computing resources.
The Directive recognizes that "with portable\ncomputing resources there are significant inherent exposures\nrelated to theft and the safeguarding if information" and that\n"FCC users should be particularly security conscious when\n\n\n                               16\n\x0ctravelling with portable computer resources." The Directive\nstates that "offices and work areas where FCC computer systems\nare located must be physically secured when unattended" and that\n"(a)dequate controls should be employed consistent with the\nvalue, exposure and sensitivity of the information and equipment\nthat is to be protected."\n\nFCC Directive 1054.1, entitled "Property Management", states that\nit is "FCC policy to assure the proper identification, custody,\nuse, care, maintenance and safeguarding of all Federal property."\n In addition, the Directive establishes objectives which include\n"(t)o list and account for all inventoried Commission property at\na central point within the agency" and "provide for the periodic\ninventory of all FCC inventoried property and reconciliation with\nthe appropriate property records." The Directive assigns\nAutomatic Data Processing (ADP) equipment management\nresponsibilities to the Associate Managing Director - Information\nManagement.\n\nRisks associated with managing portable computing resources is\naddressed in several modules of the SAC Report. Module nine of\nthe SAC Report, entitled "Security", states that\n"(m)icrocomputers present one of the fastest growing areas of\npotential data security vulnerability" and that "the most obvious\nform of microcomputer security is protecting the machines\nthemselves against theft." The Report goes on to state that\n"(m)icrocomputers and components are now exceeding typewriters\nand telephones as the office equipment most often stolen. 
Of\ncourse, the difference is that, unlike a typewriter,\nmicrocomputers with hard disks may contain critical data that are\ndifficult or impossible to replace."\n\nThe Commission Has Not Established An Effective Laptop Computer\nManagement Process\n\nIn mid-1994, as part of on-going efforts to automate operations,\nthe Commission began to procure laptop computers. Prior to that\ntime, the Commission had purchased a small number of laptops for\nspecial purposes. Based upon our review of Commission inventory\nrecords, as of October 1995, the Commission had three-hundred\nseven (307) laptop computers ranging in cost from $2,455 to\n$6,149 per unit.\n\nAs part of our review of the laptop management process, we\ninterviewed representatives from AMD-IM and Bureaus/Offices to\nobtain an understanding of the current laptop management process;\nobtained and reviewed laptop checkout documentation and\nassociated database records; and used statistical sampling\ntechniques to select laptop computer for detailed review.\n\nUsing a statistical model based upon a ninety-five percent (95%)\n\n\n                               17\n\x0cimplied confidence factor and an acceptable error rate of five\npercent (5%), we selected a sample of fifty-four (54) laptop\ncomputers from a universe of three-hundred seven (307). 
For each\nlaptop selected, we:\n\n     -used available inventory records to ascertain the\n          organization to which the laptop was currently\n          assigned;\n\n     -contacted the organization to determine the current\n          location of the equipment (where available, we\n          collected and reviewed documentation reporting\n          equipment disposition);\n\n     -contacted the individual to which the laptop was assigned\n          to determine if the individual had the equipment, and\n          determine physical and environmental security controls\n          used to protect the equipment; and\n\n     -attempted to physically verify the equipment (using\n          recorded serial #, FCC #, and barcode information).\n\nOur detailed review of selected laptop computers yielded the\nfollowing results:\n\n     \xc2\xb7Sixty-seven percent (67%) of the selected laptops were\n          physically verified (36 \xc3\xb7 54 = 67%). Verification was\n          done through either physical examination of the\n          equipment or, when this method was impractical,\n          verification of Serial Number, FCC Number, and Barcode\n          by employee. Four of the laptops in this category\n          could not be located initially despite an extensive\n          review of available inventory records. Information\n          regarding these laptops was provided to AMD-IM and,\n          through additional review, AMD-IM was able to locate\n          the equipment.\n\n     \xc2\xb7Eleven percent (11%) of the selected laptops could not be\n          located (6 \xc3\xb7 54 = 11%). Two of these laptops were\n          reported in Help Desk inventory records as being\n          checked out indefinitely. However, when we contacted\n          Commission personnel reported as having checked out the\n          equipment, we were informed that they did not have\n          these laptops. 
Another laptop was reported in\n          inventory records as having been distributed to the\n          Compliance and Information Bureau (CIB). We contacted\n          CIB and were informed that they were unable to locate\n          this equipment. The FCC Computer Security Officer\n          stated in a memorandum to the OIG that, in his opinion,\n          "given sufficient time, the remaining laptop computers\n\n\n\n                               18\n\x0c          can be located and accounted for."\n\n     \xc2\xb7One of the selected laptops was determined to have been\n          stolen in late November 1995. We were informed by the\n          FCC Computer Security Officer that a copy of the\n          Federal Protective Service report had been prepared for\n          this equipment.\n\n     \xc2\xb7Despite extensive efforts, we were unable to complete a\n          physical verification of twenty percent (20%) of the\n          laptops selected for review (11 \xc3\xb7 54 = 20%). In some\n          cases, employees using this equipment were on travel,\n          on leave, or out on disability during our review.\n          However, three employees did not produce equipment for\n          physical verification despite repeated requests to\n          cooperate with this review effort and repeated\n          assurances that cooperation was forthcoming.\n\nIn our opinion, the results of this detailed review of selected\nlaptops indicate significant deficiencies in the laptop\nmanagement process.\n\nLaptop Inventory Records Are Not Accurate\n\nThe official inventory of FCC laptop computers is maintained by\nthe Equipment Support Branch (ESB) within AMD-IM. We used their\ninventory report, dated October 6, 1995, as the basis for our\nselection of laptop computers for detailed review. 
Following our\nsample selection, we contacted Data Automation Liaison Officers\n(DALO) from each Bureau and Office and FCC Help Desk personnel to\nobtain any internal laptop inventory records that might reside in\ntheir respective Bureaus and Offices.\n\nStarting with the official ESB inventory report we attempted to\nlocate each individual laptop in our sample. Based upon our\nunsatisfactory results, we concluded that the official inventory\ndoes not accurately reflect the distribution of laptop resources\nto Bureaus/Offices or the Help Desk. Likewise, we determined\nthat, certain Help Desk and Bureau/Office inventory records do\nnot accurately reflect the physical location of the equipment.\n\nFor example, one of the laptops selected, a Toshiba 3400 CT -\nSerial Number 03421326, was reported in the official inventory as\nbeing assigned to the Customer Solutions Division of AMD-IM.\nTypically, this designation means that the equipment was assigned\nto the Computer Help Desk. However, in this case, no record of\nthis equipment existed in Help Desk records. Despite extensive\nefforts on the part of this office and AMD-IM, we were ultimately\nunable to locate this equipment.\n\n\n\n\n                               19\n\x0cIn another example, a selected laptop, Toshiba 1960 CS - Serial\nNumber 07419506, was reported in the official inventory as being\nassigned to the Customer Solutions Division of AMD-IM. A review\nof Help Desk records indicated that the laptop had been assigned\nto the Help Desk and had been signed out indefinitely to an\nindividual in the Common Carrier Bureau. We contacted the\nindividual and were informed that he did not have this equipment.\nWe passed this information along to the FCC Computer Security\nOfficer who was subsequently able to locate the equipment.\n\nIt should be noted that several Bureaus and Offices did maintain\naccurate laptops inventory records. 
For example, we reviewed\nrecords maintained by the Mass Media Bureau (MMB) and found a\ncomprehensive laptop management process.\n\nLaptop Computer Resources Are Not Periodically Inventoried\n\nFCC Directive 1054.1, entitled "Property Management", establishes\nrequirements for a "periodic inventory of all FCC inventoried\nproperty and reconciliation with the appropriate property\nrecords." As part of our review, we met with a representative\nfrom the Equipment Support Branch within AMD-IM to discuss laptop\ninventory procedures. We were informed that the Equipment\nSupport Branch has delegated responsibility for conducting laptop\ninventories to the Help Desk. We were further informed that this\nwas the result, in part, of problems associated with conducting\ninventories of laptop equipment. For example, we were informed\nthat some employees refuse to produce equipment for inventory\npurposes when requested. In addition, laptops are frequently\nmoved without reporting the information to the Equipment Support\nBranch.\n\nAlthough we were informed that periodic laptop inventory\nresponsibilities were delegated to Computer Help Desk staff, a\nrepresentative from the Computer Help Desk stated that laptops\nwere not periodically inventoried. Instead, Help Desk inventory\nrecord are checked for accuracy when, and if, equipment is\nreturned to the Help Desk for redistribution, repair, or\nenhancement. In our opinion, this process does not represent an\nadequate physical inventory process.\n\nWeaknesses In Laptop Management Increase The Risk Of Asset Loss\nAn inadequate laptop management process increases the risk of\nloss of laptop computer equipment and data. As part of our\nreview, we requested information about recent computer thefts at\nthe Commission. We received a memorandum from the FCC Computer\nSecurity Officer documenting theft for the period from June 1995\nto February 1996. 
During that period, seven (7) laptop\n\n\n\n\n                               20\n\x0ccomputers, valued at $21,5801, were reported stolen from\nheadquarters facilities. The effect of the loss of this\nequipment is magnified as a result of the difficult budget\nconditions currently faced by the Commission. As part of this\nreview, we have worked with the Computer Security Officer to\nidentify potential physical control alternatives for laptops\nincluding a chip based monitoring system.\n\nSeveral Conditions Have Prevented Implementation Of A Strong\nLaptop Management Process\n\nIn our opinion, the conditions identified in this review resulted\nfrom inadequate planning during program implementation. In mid-\n1994, the Commission began to purchase a large number of laptop\ncomputers. Some laptops were distributed directly to Bureaus and\nOffices while the remainder were assigned to the FCC Computer\nHelp Desk. The method by which these resources were managed was\nleft to the individual organizations. This lack of formal\nprogram establishment led to control weaknesses.\n\nFor those laptops assigned to the Computer Help Desk, management\nof the checkout process was originally accomplished using the\nHelp Desk call-in log. As part of our review, we obtained and\nreviewed a copy of the log for 1995. The log records a variety\nof information about each checkout including Client Name,\nOrganization, and Resolution. However, the log did not\nconsistently record information about the specific laptop checked\nout. As part of our detailed review of selected laptops, we\nreviewed records from the recently developed Help Desk laptop\nmanagement system. The current system is comprised of two\ndatabases, one for short term loans and one for indefinite loans.\n In our opinion, this process represents an improvement over the\noriginal log process.\n\nIn addition to reviewing Help Desk records, we reviewed inventory\nrecords maintained in the Bureaus and Offices. 
Generally, we\nfound that these records were well maintained. For example, we\nreviewed the program established by MMB and found a comprehensive\nprogram including formal policies and procedures and a database\nproviding a detailed history of MMB\'s laptop inventory.\n\nRecommendation for Corrective Action 3 of 4\nThe Managing Director: (1) conduct a complete inventory of\nCommission Laptop Computers and adjust inventory records to\nreflect the results of this action; and (2) decentralize the\n   1\n       In addition, the report identifies the loss of additional\nautomation equipment (including cellular phones, fax machines,\nprinters, components, etc.) with a combined value of over $57,400.\n\n\n\n                                21\n\x0cresponsibility for managing laptops checked out indefinitely from\nthe Help Desk to those Bureaus and Offices with the resources\nnecessary to independently manage the process. The Help Desk\nshould continue to manage laptops for those organizations who\nrequire that service.\n\nManagement Response\n\nThe Managing Director has concurred with the recommendation and\nstated that "(a) baseline inventory of all laptop computers has\nbeen scheduled for this fiscal year" and that "(a)s part of the\ncorrective action, improvements for the management of laptop\ncomputers is planned."\n\nRecommendation for Corrective Action 4 of 4\n\nThe Managing Director develop guidance for use by Bureaus and\nOffices managing laptop resources. 
This guidance should include\nnotification to users: (1) of their responsibilities for\npresenting equipment for physical inspection as part of the\nphysical inventory process; (2) of their responsibilities for\nensuring the physical security of laptops that have been assigned\nto them and their accountability for that equipment if it is lost\nor damaged through their negligence; (3) that equipment is to be\nused only for official FCC business; and (4) that software is not\nto be loaded onto laptops without being scanned for viruses.\n\nManagement Response\nThe Managing Director has concurred with the recommendation and\nstated that "(g)uidance will be prepared and disseminated to\nBureau and Office representatives responsible for the management\nof laptop computers." In referring to the guidance, the Managing\nDirector goes on to state that "(r)esponsiblities will be\noutlined and users will be notified of their responsibilities\nwhen they are assigned laptop computers for official use."\n\n\n\n\n                               22\n\x0c'